1. Technical Field
The present invention relates generally to a packet analysis apparatus and method and a Virtual Private Network (VPN) server. More particularly, the present invention relates to a packet analysis apparatus and method and a VPN server that secure evidence in a situation where a hacker disguises a packet as a normal packet and makes an attack using a VPN server as a router, in order to disguise his or her access location and conceal the action.
2. Description of the Related Art
Recently, a large number of methods have been used to disguise packets as normal packets by utilizing a VPN server, which supports tunneling and encryption, as a router in order to conceal locations and actions. Analysis of such methods is therefore required, but it is not easy to analyze them effectively because the data and packets are encrypted.
In detail, in order to prove that a hacker uses a Microsoft Point-to-Point Encryption (MPPE)-based Point-to-Point Tunneling Protocol (PPTP) VPN server as a router and disguises a packet as a normal packet, so as to disguise his or her access location and conceal actions while making a cyber attack, it should be verified whether the Internet Protocol (IP) datagram encapsulated in an encrypted VPN packet between the hacker and the VPN server is identical to the plaintext IP datagram between the VPN server and the target.
The most intuitive method of verifying whether the encrypted and encapsulated IP datagram is identical to the plaintext IP datagram is to decrypt the encrypted IP datagram, compare the decrypted IP datagram with the plaintext IP datagram, and verify that the two are identical.
However, in order to decrypt an MPPE packet, the session key used for encryption must be obtained, and the password used to log in to the VPN is required in order to derive that session key.
Since the password is present only as a hash value in the monitored data, it is not known and must be obtained via password cracking, so decryption is not always successful.
Therefore, a method is required for verifying whether a VPN packet is identical to a plaintext packet even when decryption has failed. Meanwhile, MPPE encryption does not change the length of the data before and after encryption, so identity can be verified by comparing the lengths of the packets when decryption is impossible.
Therefore, a packet analysis apparatus and method and a VPN server are currently required to which both a component for comparing the contents of packets and a component for comparing the lengths of packets are applied, so that identity can be verified even when decryption has failed. As related technology, Korean Patent Application Publication No. 2012-0044002 is disclosed.